– CJEU Ruling Strengthens the Role of Consent and Right to Erasure –
On 17th November, the CJEU ruled on the question of telecommunication data storage and access for law enforcement purposes in the case of Spetsializirana prokuratura. As to the facts of the case, the specialized prosecution asked the specialized criminal court to grant it access to the traffic and location data of five individuals who were suspected of having committed the criminal offence of illegally selling cigarettes. On the one hand, the specialized criminal court was concerned that the CJEU had ruled that the indiscriminate and general retention of traffic and location data is not compatible with Union law. On the other hand, it noted that the Bulgarian Constitutional Court had ruled that the Bulgarian legal provisions on the retention of telecommunication data are compatible with the Bulgarian Constitution, because the general and indiscriminate retention is limited to six months, it is allowed only in relation to serious crime, the law strictly regulates the conditions and safeguards on access to the retained data by the law enforcement authorities, and telecommunication providers have to implement adequate security requirements. The court also noted, however, that the Bulgarian legal norms do not envisage a notification requirement to the concerned data subject or provisions on the right to effective remedies. Hence, the specialized criminal court asked the CJEU to interpret the relevant Bulgarian provisions against the background of Article 15(1) e-Privacy Directive and Articles 13 and 54 Law Enforcement Directive (LED), which concern the right to information and the right to effective remedies, respectively. The Court ruled as follows.
First, the Court concluded that Article 15(1) e-Privacy Directive, read in light of Articles 7, 8 and 52(1) CFREU, does not allow national provisions which require the general and indiscriminate storage of traffic and location data, even only for the purposes of fighting serious crime, even where the retention is limited to six months, and even where there are safeguards around access to the stored data. Second, the Court ruled that the Bulgarian provisions are incompatible with Article 15(1) e-Privacy Directive, read in light of Articles 7, 8 and 52(1) CFREU, also because they do not clearly state that access to the retained data by the law enforcement authorities should be restricted to what is strictly necessary to achieve the designated purpose of the data storage. Third, the Court ruled that Article 15(1) e-Privacy Directive, read in light of Articles 7, 8 and 52(1) CFREU and Articles 13 and 54 LED, should be interpreted to mean that it does not allow national legislation which does not envisage a right to notification for the individuals whose data have been accessed by the law enforcement authorities, unless the exceptions to this type of information under Article 13(3) LED apply, and which does not provide for effective remedies against unlawful access by law enforcement authorities to the stored data.
Please note that at the time of the writing, the ruling was available only in Bulgarian and French.
– EDPS Issues Opinion on European Media Freedom Act –
On 11th November, the EDPS issued ‘Opinion 24/2022 on the Proposal for a Regulation establishing a common framework for media services in the internal market (European Media Freedom Act) and amending Directive 2010/13/EU’. The Proposal ‘aims to improve the functioning of the internal media market, particularly by fostering cross-border activity and investment in media services, increasing regulatory cooperation and convergence, facilitating the provision of quality media services and ensuring a transparent and fair allocation of economic resources in the internal media market.’ In principle, the EDPS ‘welcomes the aim of the Proposal to address … challenges and to provide additional safeguards for media freedom and pluralism.’ The EDPS, however, also makes a number of comments and recommendations on the Proposal. These fall under five headings: i) ‘Subject matter and scope’ – including recommending that ‘all journalists, including free-lance or self-employed, would fall within the scope of the future Regulation and thus could also be able to rely on a robust protection of journalistic sources and communication’; ii) ‘Deployment of surveillance technologies’ – including the recommendation to ‘further define and restrict the possibility to waive the protection of journalistic sources and communications, in line with the principles of strict necessity and proportionality, taking into account the case law of the Court of Justice of the European Union and of the European Court of Human Rights.’; iii) ‘Independent oversight and cooperation between supervisory authorities’ – including the recommendation to ‘explicitly set out specific independence guarantees of the designated authorities or bodies under Article 4(3), such as protection against direct or indirect external influence, sufficient resources, etc.’; iv) ‘Publication of personal data of beneficial owners’ – including the recommendation to ensure ‘that the list of categories of information to be made available be clearly defined and explicitly outlined in the future Regulation’; and v) ‘Exchange of information between national regulatory authorities or bodies’ – including the recommendation to ‘explicitly clarify whether any personal data would be processed’. The Proposal deals with an important issue and the Opinion offers much to think about.
– EDPS Issues Opinion on Cybersecurity –
On 9th November, the EDPS issued ‘Opinion 23/2022 on the Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020’. As to the scope of the Proposal, the EDPS notes that whilst ‘the NIS2 Directive included in its scope of application operators of essential services and digital services providers in order to establish a high common level of cybersecurity of their ICT systems, the Proposal at hand would introduce common cybersecurity rules for manufacturers and developers of products with digital elements, covering both hardware and software.’ The EDPS is generally positive that the Proposal focuses on data security, which is also a requirement under the GDPR. Nevertheless, he makes the following nine recommendations:
‘(1) to include the data protection by design and by default principle in the essential cybersecurity requirements of products with digital elements;
(2) to explain in the preamble the importance of products with digital elements that perform cryptographic operations, including encryption at rest and in transit and pseudonymisation that are necessary for effective information security, cybersecurity, data protection and privacy;
(3) to add in Annex II tangible and intangible products with digital elements that perform cryptographic operations;
(4) to delete Regulation (EU) 2017/745 from the list of the legislations excluded from the application of the Proposal;
(5) to clarify expressly in the Proposal what are the elements of the essential requirements referred to by Article 3(3)(e) of Directive 2014/53/EU on personal data and privacy;
(6) to specify in the operational part of the Proposal the practical aspects related to the creation of synergies on both standardisation and certification on cybersecurity as well as synergies between this Proposal and the Union data protection law in the area of market surveillance and enforcement;
(7) to clarify that the Proposal does not seek to affect the application of existing EU laws governing the processing of personal data, including the tasks and powers of the independent supervisory authorities competent to monitor compliance with those instruments;
(8) to add relevant definitions of ‘free software’, ‘open source software’ and ‘free and open source software’;
(9) to clarify in recital of the Proposal that obtaining a European cybersecurity certification under the Proposal does not guarantee compliance with the GDPR.’
– EDPB Holds 71st Plenary Meeting –
On 14th November, the EDPB held its 71st Plenary Meeting. During the meeting, it adopted ‘Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR)’, which are open to consultation until 10th January 2023. In addition, the EDPB discussed the following key topics:
- ‘GPA 2022 in Istanbul’;
- ‘Guidelines on Blockchain’;
- ‘Implications of the PNR judgement of the CJEU (Case C‑817/19)’.
The Recommendations are already available on the EDPB’s website.
– CNIL on Health Data Processing –
On 14th November, the CNIL issued a set of observations concerning the conditions under which supplemental health insurance bodies can collect personal data. The observations follow from a significant number of complaints received by the CNIL concerning the activities of a number of such health insurance companies regarding their processing of personal data. In particular, the complaints concerned the possibility for companies to access medical data generated in relation to patient follow-up and in relation to the reimbursement of healthcare. In this regard, the CNIL made a number of observations, including highlighting the need: i) for more clarity in the law governing the collection of health data; ii) to address the inadequacy of provisions concerning medical confidentiality; and iii) for a new law regarding the exchange of the information in question. Unfortunately, at the time of writing, the press release was not available in a language in which the author is fluent. The author has thus relied on electronic translation. Whilst this is not ideal, the editors found the release interesting and worthy of discussion and thus made the decision to include it in this newsletter. The authors cannot, however, rule out the possibility that errors were made in translation or that these errors were reproduced in this report. Accordingly, the authors urge all readers interested in the decision to consult the primary materials themselves.